Threat Insight

Account Takeover:

The Devastating Successor to Phishing Attacks

Over the past few years, targeted phishing attacks have become a widespread concern for businesses; however, there is a new threat on the horizon. Lucy Ingham hears from Dr Markus Jakobsson, chief scientist at Agari, about the growing threat – and staggering losses – of account takeover attacks

In the world of cybersecurity, the threat landscape is forever changing, as criminals adjust their methods in response to improved security measures.

This is as true of attacks designed to con individual targets out of data or money via email as it is of more blanket attacks. In recent years wide-scale spoofing, in which emails are designed to look like they originate from a trusted source such as a bank or digital provider, has declined as email filters have become more sophisticated at stopping it.

In their place we have seen the rise of display name spoofing attacks, sometimes known as spear phishing attacks. This is where an attacker poses as a person known to the victim by creating a new email account with that person's details and sending the victim a plausible email asking for data or a payment.

These have proved very successful for criminals, as the recipients often assume they are receiving an email from a contact’s personal account, if they notice the difference in email at all. Furthermore, they pass through email filters completely unnoticed.

“The traditional filters are almost pointless,” explains Dr Markus Jakobsson, chief scientist at email threat protection provider Agari. “Because here's an email from somebody who does not have a record of doing bad stuff: you can't just block emails from people or strangers.”

However, companies such as Agari have developed solutions to this type of attack, by identifying emails sent with the names of familiar contacts but unfamiliar email addresses.

“We are incredibly successful. We're picking up that this looks like it came from a trusted party, but it does not come from a trusted party,” adds Jakobsson.
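The check described above, a display name that matches a known contact arriving from an address never seen for that contact, is simple to state but has a few edge cases worth handling: quoted "Last, First" names, accented or oddly spaced names, and the lure in which a known address is placed in the display-name slot. The following is an added illustration written for this article, not Agari's code or algorithm; the contact book and the From headers are constructed.

```python
"""Display-name spoofing check over From headers.

Flags messages whose display name matches a known contact but whose
address is not one previously seen for that contact. Example code added
to illustrate the technique; all contacts and headers are constructed.
"""

import email.utils
import unicodedata

# Constructed contact book: normalised display name -> addresses seen for that person.
KNOWN_CONTACTS = {
    "alice chen": {"alice.chen@example-corp.test"},
    "bob ortiz": {"bob.ortiz@example-corp.test", "bortiz@partner.test"},
}


def normalise_name(name: str) -> str:
    """Case-fold, strip accents and punctuation, collapse whitespace,
    and rewrite 'Last, First' as 'First Last' so both orders compare equal."""
    if "," in name:
        last, _, first = name.partition(",")
        name = f"{first} {last}"
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in stripped)
    return " ".join(cleaned.lower().split())


def classify_from_header(from_header: str, contacts=KNOWN_CONTACTS) -> str:
    """Classify one From header as 'trusted', 'display-name-spoof',
    'address-in-name', 'unknown', 'no-display-name' or 'unparseable'."""
    display, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    all_known = {a for addrs in contacts.values() for a in addrs}

    if not display and not addr:
        return "unparseable"
    if not display:
        # Bare address: nothing to impersonate with, so only the address counts.
        return "trusted" if addr in all_known else "no-display-name"
    if "@" in display:
        # A known address sitting in the display-name slot while the real sender
        # is elsewhere is a classic lure: "alice.chen@example-corp.test" <x@mail.test>
        shown = display.strip().lower()
        if shown in all_known and shown != addr:
            return "address-in-name"
        return "trusted" if addr in all_known else "unknown"

    key = normalise_name(display)
    if key in contacts:
        # Familiar name: trusted only if the address is one we have on file for it.
        return "trusted" if addr in contacts[key] else "display-name-spoof"
    return "unknown"


def scan(headers, contacts=KNOWN_CONTACTS):
    """Return (header, verdict) pairs for the headers that look like impersonation."""
    suspicious = {"display-name-spoof", "address-in-name"}
    return [(h, v) for h in headers if (v := classify_from_header(h, contacts)) in suspicious]


# Constructed sample From headers exercising each branch.
SAMPLE_FROM_HEADERS = [
    "Alice Chen <alice.chen@example-corp.test>",               # known name, known address
    "Alice Chen <alice.chen.1987@freemail.test>",              # known name, new address
    '"Chen, Alice" <achen@freemail.test>',                      # reordered name, new address
    '"Bob Ortiz" <bortiz@partner.test>',                        # second address on file
    '"alice.chen@example-corp.test" <helpdesk@mail.test>',     # known address used as the name
    "Carol Nguyen <carol@somewhere.test>",                      # nobody we know either way
    "bob.ortiz@example-corp.test",                              # bare known address
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_FROM_HEADERS):
        print(f"{verdict:20s} {header}")
```

The contact book would in practice be built from the organisation's own mail history rather than hand-written, and the verdict is a triage signal, not a verdict on the message: a genuine account that has been taken over passes this check, which is exactly the gap the rest of the article is about.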

However, with better measures comes a change in tactic, and cybersecurity professionals are now seeing the emergence of a new kind of email attack: account takeover.

The rise of account takeover attacks

While spoofing attacks involve making an email look like it comes from someone the recipient knows, account takeover is arguably far more malicious in that it involves using genuine, established email accounts.

Data breaches have been barely out of the headlines over the past year, and in many cases these breaches have exposed the account details and passwords of millions of users. Much of this data ultimately ends up on the black market, making it easy for would-be attackers to obtain the login credentials of regular email users.

“Imagine that somebody breached an email account of yours, for example it might be a Yahoo account and they just bought the credentials on the black market, or they phished you, or something happened: they managed to guess your password,” says Jakobsson.

Once attackers have access to such accounts they will comb through them, looking for details that can help them turn each account against its owner’s contacts.

“What they do, the very skilful, sophisticated attackers, is that they look at: who are your contacts and how do you know them? Who is a key player? What kind of information do you exchange with these people?” he says.

“And then they use your account to send an email to these people saying: 'oh, here's a file for you', and maybe that's a file with malware, or ‘here's an invoice for you’.

“If they have a trust relationship with you they will pay that invoice. But, of course, the invoice won't have your bank account but the attacker's bank account. So that is the latest and greatest, in the eyes of the attackers, and that's why that is coming.”

This rise has already begun. In the first three months of 2018 Agari witnessed a 300% rise in this type of attack and anticipates growth to continue.

What’s more, this is not an attack that is being focused on any particular industry.

“There's no particular company that is more vulnerable or less vulnerable; it seems like everybody is hit, sadly.”

Payment requested: the role of invoices

Account takeover most commonly involves invoices, often infiltrating the accounts of people responsible for requesting invoices or other financial data.

“That's the most common thing: to pay an invoice. They might act as if they were a vendor or an employee or somebody in power and send an invoice,” says Jakobsson.

Here any invoice-paying organisation is at risk of being tricked, particularly as the emails are often timed so that their recipients are already expecting them.

“It is businesses and educational institutions, anybody who pays invoices are common victims for this attack, and it's not just large institutions,” he says.

“It's often mom and pop stores who have absolutely no IT staff, they have no background in security – they have no understanding of this. And they're getting an invoice from a party that they know, they think.

“It could even be an amount that they think is reasonable, because the attacker could have looked at an existing invoice, blocked it from being sent and then sent a replacement.”

Invoices are not the only type of finance-related content attackers focus on. Taxes are also a target, which ultimately can see the government become the victim.

“During tax time, at least in the US, they're commonly asking for tax-related forms that allow them to file taxes on behalf of employees whose information they're getting,” he explains.

“They're filing taxes asking for refunds and the refunds are submitted electronically, to the attackers of course.

“This is theft from the federal government, not from the actual victims here. But it's incredibly successful.”

Homeless homebuyer: the most devastating form of account takeover attack

Perhaps the most gut-wrenching type of account takeover attack, however, is what is known as the homeless homebuyer.

“Say that you're buying an apartment or house and you're two weeks away from closing and you have to send your downpayment to the escrow agency,” says Jakobsson.

“Now unfortunately your real estate attorney has been corrupted. Their email account has been taken over by a criminal, who now infiltrates all the email they are getting.

“So they know you're closing in two weeks. And they know the amount that you're going to pay; they know the address of the property you're buying, and they know everything. And maybe they even know that you're going to get an email from the escrow agency in one week.”

This information is enough for criminals to successfully con would-be homebuyers into transferring the entire cost of the property in question over to them, believing they are taking the final step towards buying their home.

“They send you an email posing as an escrow agency and asking you to transfer money for the house that they know you're buying,” he says.

“Of course you're going to do this. So you hurry to the bank, you send them money and that's your life savings. It's a truly devastating form of abuse.”

If a person finds they are victim to this kind of attack, they must act quickly.

“The odds are reduced and reduced over time, but if people realise that they've been had, they should just run to the bank,” advises Jakobsson.

“Almost always this is about wire transfers and wire transfers actually can be reversed. It's not easy, it's not foolproof, but if you run to the bank within 24 hours there is a chance.

“And the sooner you get to the bank after this happens the greater the chance that they will be able to reverse it. It might not have gone out. It may still be in an intermediary bank and not have been delivered. It might have been delivered to the account of the criminal but not taken out yet.”

Combatting account takeover attacks

While there has been considerable focus on cybersecurity education and training to combat conventional spoofing attacks, Jakobsson does not believe this approach is effective in stopping account takeover attacks.

“Some people believe that education, in terms of awareness campaigns, is a helpful thing, but I am very sceptical,” he says.

“These attacks, they look like a colleague of yours. You can simply not be suspicious of every email from every colleague you ever get. That would make it ridiculous: you can't go on like that.”

Instead, he advocates two things: the use of security controls such as those provided by Agari or its competitors, and the establishment of strict protocols for invoice payment. This would typically involve requiring a physical signature on a document before payment, or an in-person confirmation that a payment is actually due.

“If then you're getting an invoice that is late, it's not okay for you to run down to the bank and pay it, even if it's your CEO that says you've got to do it today,” he says.

Turning the tables on attackers

For companies such as Agari that offer sophisticated email filtering services, however, blocking these emails from ever getting to their intended recipients is paramount.

“We are getting emails that they meant to send to our customers,” he says.

“These are attempts to deceive our customers and of course we block those emails from getting to our customers, and then we have algorithms that analyse them and we also have people who sit down and look at them.”

However, Agari often goes a step further, by turning the tables on the attackers in a bid to identify them and block further activities.

“Sometimes we even write email to the attackers, not from the accounts of the intended victims because we don't have access to the email accounts of these people, but rather just on an email referring to the attack email,” he says.

This will typically involve posing as a colleague of the intended recipient who offers to help instead, luring the attacker into providing information that Agari can use.

“Now the attacker goes right to me instead, and whatever they wanted you to do, deceive you with, they will now try to deceive me,” he says.

“And when they say that we want money transferred for this invoice to that account, then what I will do is I will forward that information to the bank who now will put a freeze on any funds in that account, because that's a criminal account.

“So we are extracting a lot of information to our cause agony for the attackers and also to learn about their whereabouts and what they do.”

As Agari works with numerous banks, the company also has an insight into the banking preferences of attackers. And interestingly, not all banks are equally favoured.

“We can see criminals prefer some of the banks to others. And it's not as easy as they prefer larger banks or the banks with more branches,” he says.

“We know that there are some banks that have weaker security controls or there would not be such a clear preference for them among the attackers. We don't know what those differences are, but we can tell that some banks are doing a better job than others,” he says.

“And we're informing the banks, of course, that you should speak with your buddies over at that bank because you are doing things differently and somehow they're doing things better.”

Behind the keyboard: The typical attacker

The insights Agari gains from its work do not just extend to banking preferences. The company is also able to establish a profile of the typical attacker, which isn’t far removed from the stereotypes many people have of online scammers.

“People talk about Nigerian scammers, and it's a very apt description of this kind of crime: nine out of ten are in Nigeria,” he says.

“It's a breeding ground for this kind of crime because there's large unemployment, technically competent people without jobs, and the thousands of dollars they rob people of in the West, it's seen like a Robin Hood tactic to the locals. It doesn't seem like crime, and it's a very large amount of money there.”

However, due to the targeted nature of these types of attacks, such scammers conventionally work with people on the ground in the country of the victim.

“All of the groups that we're aware of have collaborators in the US and the European community,” he says.

“They have somebody on the ground where their attacks are. And the reason is simple: they are the scouts, they are the ones who figure out who to attack, they're the ones who solve problems with bank accounts.”

It is these criminals that Agari focuses on identifying and passing the details of to law enforcement.

“These are the people who are the most vulnerable when we find out who they are,” he says.

“We refer them to law enforcement and we're saying this is what we know about the criminals, their whereabouts, their IP addresses, their likely names. These are the people we're hoping to nail because they are, after all, in the country where the victims are.”

Future growth: Why account takeover attacks are only getting started

While account takeover attacks have already risen significantly, they have by no means reached their peak.

“We believe that there will be more account takeover,” says Jakobsson. “We also believe that there will be greater abuse of custom-made malware. One can buy malware on the dark web that is not recognisable by traditional antivirus filters simply because it hasn't been distributed broadly.

“They're recompiled every time for each new criminal customer and therefore they look different to the traditional antivirus filters and these are increasingly used by these criminals, in conjunction with social engineering attacks, commonly to get a device to the account takeover stage.”

This combination will, he believes, fuel further growth of account takeover attacks.

“Account takeover and the use of malware is where we're seeing a very likely growth in the next year or so, and an increase of sophistication that comes with that,” he says.

“Because if you are a criminal and you access somebody's account, suddenly you know everything about them and that allows you to place very well targeted and very competent attacks on their contacts. And that makes it likely that the losses will be greater.”

This, Jakobsson argues, will fuel further and more rapid growth of the criminal sector running such attacks.

“There will be so many more mouths that could be fed by this. And people will say: ‘heck, I'm going to start, I'm going to recruit a couple of people and I'm going to run this instead of working for this dude’.

“So you're seeing so many more people starting their own criminal business than you have now. And even now it's very worrisome.”

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, was stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang